Fortra FileCatalyst Workflow is vulnerable to an SQL injection flaw that would enable remote unauthenticated attackers to create rogue admin users and manipulate data in the application database.
FileCatalyst Workflow is a web-based file exchange and sharing platform supporting large file sizes. It is used by organizations worldwide to accelerate data transfers and collaborate in private cloud spaces.
The critical (CVSS v3.1: 9.8) vulnerability, tracked as CVE-2024-5276, was discovered on June 18, 2024, by Tenable researchers, but was made public only yesterday.
Fortra explains in a security bulletin that the flaw allows admin user creation and database manipulation, but stealing data is not possible through it.
“A SQL Injection vulnerability in Fortra FileCatalyst Workflow allows an attacker to modify application data,” reads Fortra’s bulletin.
“Likely impacts include the creation of administrative users and deletion or modification of data in the application database. Data exfiltration via SQL injection is not possible using this vulnerability.”
The flaw impacts FileCatalyst Workflow 5.1.6 Build 135 and older versions. Fixes have been made available in FileCatalyst Workflow 5.1.6 Build 139, which is the recommended upgrade target for users.
Unauthenticated exploitation also requires that anonymous access is enabled on the target instance. Otherwise, authentication is required to exploit CVE-2024-5276.
Public exploit available
Tenable discovered CVE-2024-5276 on May 15, 2024, and first disclosed the issue to Fortra on May 22, together with a proof-of-concept (PoC) exploit demonstrating the vulnerability.
Concurrently with the publication of Fortra’s security bulletin, Tenable released its exploit, showing how an anonymous remote attacker can perform SQL injection via the ‘jobID’ parameter in various URL endpoints of the Workflow web app.
The problem is that the ‘findJob’ method uses a user-supplied ‘jobID’ without sanitizing the input when forming the ‘WHERE’ clause of an SQL query, allowing an attacker to insert malicious code.
Tenable’s script logs into the FileCatalyst Workflow application anonymously and performs an SQL injection via the ‘jobID’ parameter to insert a new admin user (‘operator’) with a known password (‘password123’).
Finally, it retrieves the logon token and uses the newly created admin credentials to log in on the vulnerable endpoint.
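To make the findJob weakness concrete for defenders, here is an added illustration that is not Tenable’s script or FileCatalyst’s code: a lookup that splices ‘jobID’ into the WHERE clause beside a hardened version that validates and binds it, plus an access-log check for non-numeric jobID values. The table schema, column names, the endpoint path in the sample log lines and the numeric jobID format are all assumptions.

```python
import re
import sqlite3
from urllib.parse import unquote

JOB_ID_RE = re.compile(r"[0-9]{1,18}")   # assumed format: a plain numeric jobID

def make_db():
    # Constructed in-memory stand-in for the Workflow job table (real schema not on the page)
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE jobs (id INTEGER PRIMARY KEY, owner TEXT, name TEXT)")
    db.executemany("INSERT INTO jobs VALUES (?, ?, ?)",
                   [(1, "alice", "quarterly-report"), (2, "bob", "payroll-export")])
    db.commit()
    return db

def find_job_vulnerable(db, job_id):
    # Mirrors the flaw: the raw jobID is spliced into the WHERE clause, so it becomes SQL
    sql = "SELECT id, owner, name FROM jobs WHERE id = '" + job_id + "'"
    return db.execute(sql).fetchall()

def find_job_hardened(db, job_id):
    # Validate the shape first, then bind as a parameter so the driver sends it as data
    if not JOB_ID_RE.fullmatch(job_id):
        raise ValueError("jobID must be numeric")
    return db.execute("SELECT id, owner, name FROM jobs WHERE id = ?", (int(job_id),)).fetchall()

def flag_suspicious_job_ids(log_lines):
    # Defender-side check over access-log lines: report any jobID that is not a plain number
    hits = []
    for line in log_lines:
        m = re.search(r"[?&]jobID=([^&\s\"]*)", line)
        if m and not JOB_ID_RE.fullmatch(unquote(m.group(1))):
            hits.append(line)
    return hits

TAINTED = "2' OR '1'='1"   # constructed tautology input, not the Tenable payload
LOG_LINES = [              # constructed sample access-log lines; endpoint path is assumed
    '10.0.0.5 - - "GET /workflow/job?jobID=2 HTTP/1.1" 200',
    '10.0.0.9 - - "GET /workflow/job?jobID=2%27%20OR%20%271%27%3D%271 HTTP/1.1" 200',
]

def demo():
    db = make_db()
    leaked = find_job_vulnerable(db, TAINTED)     # tautology makes the query return every row
    try:
        find_job_hardened(db, TAINTED)
        verdict = "accepted"
    except ValueError:
        verdict = "rejected"
    return len(leaked), verdict, find_job_hardened(db, "2"), len(flag_suspicious_job_ids(LOG_LINES))
```

The vulnerable lookup returns both rows for the tainted value, while the hardened one rejects it before any SQL runs and the log check flags the second request.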
There have been no reports of active exploitation of the issue, but the release of a working exploit could change that very soon.
In early 2023, the Clop ransomware gang exploited a Fortra GoAnywhere MFT zero-day vulnerability, tracked as CVE-2023-0669, in data theft attacks to extort hundreds of organizations using the product.